A Cyber Security Review

A review of cyber security covering enterprise, consumer and critical infrastructure protection.

Simon Moffatt, CISSP CISA MBCS
November 2012
Table of Contents

Synopsis
(Cyber) War On Terror
  Motives
  Targets
  Government-Led Defence
From Lone Wolves to Botnets, APTs to AETs
  Lone Wolves & Botnets
  APTs to AETs
Enterprise Protection
  Attack Vectors and Entry Points
  Basic Defence in Depth
  Offense and Response
  Enterprise Protection Conclusion
Consumer Protection
  Everything's Online
  Vulnerabilities - Learning and Spotting
  Protection Steps
Critical Infrastructure
  Difference of Priorities: CIA to AIC
  Vulnerabilities - Nature or Nurture?
  Basic Security Erosion
  Recent Attacks and a Change in Culture

Infosecprofessional.com
Synopsis

The following paper covers a range of cyber security topics that were initially published as separate articles on the Infosec Professional blog site between October and November 2012.
(Cyber) War On Terror

Any device that connects to the internet is now a potential target, and the motives are increasingly political, as control of the information highway becomes paramount.

US government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption". That opening sentence is paraphrased straight from Wikipedia, but it could just as well have come from a sci-fi movie of the mid 1980s. Cyber war is no longer an imaginary concept, cocooned in the realms of laser-gun protection and x-ray vision. It is an everyday occurrence, impacting governments, corporate enterprises and individuals.

Motives

Internet security in the past was mainly focused on protecting privately held assets (namely web, FTP and email servers) from being hacked. Hackers came in various guises, from script kiddies learning to code with ideas they had picked up that day at college, through to hacktivists aiming to make a mark for themselves by defacing a newspaper or corporate website. Today, attacks cover a range of motives. Cash can be the main driver, especially behind many of the sophisticated consumer-focused malware attacks. Ransomware has recently hit the headlines, hitting individuals with demands for payment in order to get their laptops and files back in working order. Online banking and financial services customers have long been hit by email phishing and other attempts to trick individuals out of their username and password details. The main goal? Cash. Whether through fraud or direct transfer, money has been the aim for the armies of complex botnet operators.
The motive has advanced, however, to a more country-led level and is now comfortably embedded in the toolbox of military weapons. US Defence Secretary Leon Panetta said that the cyber attack capability of countries like Iran was growing, and that US authorities believed Iran was behind several attacks on oil and gas companies in the Persian Gulf. The main motive is to cause disruption. Disruption causes panic and destabilisation, and ultimately acts as a propaganda tool to show who really is in control of a particular asset or environment.

Targets

In early October 2012, the Pentagon confirmed that it had itself been on the receiving end of a cyber attack. The White House would not confirm reports that the attack originated in China, but did describe the incident as a spear-phishing attempt. The ongoing political isolation between the United States and Iran has left many arguing that the recent attacks on US government assets are a direct retaliation for the monetary sanctions currently imposed on Iran. Conversely, the powerful Stuxnet worm found in 2010, which primarily targeted the Siemens SCADA infrastructure within Iran's nuclear enrichment plants, was originally developed with nation-state support, with many speculating Israeli backing.

The subtlety and remote nature of cyber warfare makes its development seem natural, at a time when political tensions are rising, whether due to economic changes or the charge for democracy.
The main targets generally seem to be major infrastructure installations. As disruption and denial of service seem to be the name of the game, water, electricity and communications infrastructure would have the biggest impact on a nation's general well-being.

From a communications perspective, the aspect can be more subtle. Again in 2012, a US House of Representatives Intelligence Committee report recommended that dealings with the Chinese telecoms supplier Huawei should be banned. The UK, Australia and Canada are looking to create similar intelligence reports, against a network provider that has invested over £150m in the UK telecoms backbone in the last 10 years. Whilst a direct attack has not been acknowledged, the gathering of intellectual property and clandestine scanning of network traffic would be a major concern.

Government-Led Defence

The last three years have seen some significant strategic steps taken by several governments when it comes to cyber security defence and offence.

In 2009, the US formed USCYBERCOM, a Department of Defense initiative to protect the military's information networks. Also in 2009, Howard Schmidt took the role of cyber security co-ordinator and advisor to the Obama administration. Although he retired from the role this year, it marked a new beginning in cyber security management, research and defence.

From a UK perspective, GCHQ performs in a similar vein to the US's National Security Agency and has recently announced a new research capability, in partnership with several top UK universities. The partnerships aim to make it easier for businesses, individuals and government to take informed decisions about how to implement better cyber protection measures.
China, too, has recently released a new policy outlining its approach to IT in general and how to counteract and defend against online attacks.

Whilst the cost of attacks (and indeed the readiness of organisations and governments to acknowledge being the victim of an attack) is largely unknown, many institutions are putting in place the infrastructure, personnel and policies to allow both attack and defence mechanisms based on internet resources to take place.
From Lone Wolves to Botnets, APTs to AETs

Cyber attacks in 2012 draw on several different, highly optimised and professional techniques for implementing and distributing malware. These range from individual, lone-wolf style attacks right through to complex networks of robots capable of distributing malware on a vast scale. I will briefly examine the components of an Advanced Persistent Threat and the rise of Advanced Evasion Techniques being used by malware to avoid detection.

Lone Wolves & Botnets

The Lone Wolf - In any walk of life the lone wolf is seen as independent, agile and potentially unpredictable. Whilst those characteristics are often difficult to defend against in a cyber security landscape, being an individual has its limitations. In the new dawn of the internet era (yes I know, what was that like?) in the early 90s, the individual hacker was often portrayed as glamorous and cool. The script-kiddy style attacker was generally male, 18 to 23 years old and a self-badged nerd/geek/social outsider. Their main motive for attacking online systems was simply prestige and credibility, driving for acceptance of their technical aptitude.

Today, there has been a significant movement to a more targeted and explicitly aggressive type of lone-wolf attacker. The evolution from script kiddy to lamer, to cracker and fully fledged hacker has been swift, with tooling, training and support easily available online. Their main motives tend to be political (hacktivist) or automated income, aiming to harvest and sell identity or banking data from individuals. If income is the driver, the relative safety, anonymity and low investment costs often make online crime more effective than street-style criminality.
Botnets - Robot networks are large-scale and complex attack systems, often controlled by organised criminals. A botnet contains several different components. The network itself is controlled by a bot-herder, which in turn manages several command and control (C&C) centres. These C&Cs then remotely manage the bots. The bots are simply infected machines on the internet, belonging to everyday users who are unaware their machine is infected. The bots then combine to perform an attack, generally either a denial of service, utilising the large processing power available to them, or a data harvesting exercise, often collecting personal information such as identity or social security data.

Botnet owners often have the ability to create their own bespoke malware, which can be distributed online via email attachments, infected URLs (masked via phishing attacks or, more recently, altered QR codes) or USB drops. Botnets are becoming increasingly professionalised and sophisticated, adapting to new technologies (Twitter has been used as a command channel, with encoded tweets carrying C&C messages). The main driver is cash. Automated income streams are often the end goal, which again, compared to street crime, is often less risky and more rewarding.

APTs to AETs

Advanced Persistent Threats - APTs, as the name suggests, are advanced, targeted pieces of cyber attack software, often developed by large-scale organisations or even nation states. APTs generally contain several different, highly optimised components, joined together to perform denial of service or data harvesting attacks. A botnet could be involved in helping to execute the components. APTs often have a specific target, with recent attacks focused on SCADA-style industrial control systems and critical infrastructure (Stuxnet, Duqu). The APT will contain an initial payload distributed via social engineering techniques, USB drops, email and infected URLs. Once the initialiser code is distributed, other secondary components such as privilege escalation tools, data harvesters and propagators are used to complete the attack.
Code is often self-replicating and self-modifying, making detection and removal difficult. As a result, the true impact of some of the more complex APTs is unknown.

Advanced Evasion Techniques - AETs are not themselves malware or specific pieces of attack software. The term is relatively new, and describes how malware payloads now use new approaches to avoid detection by next-generation firewalls (NGFWs) and intrusion detection systems (IDSs). AETs obfuscate the delivery of the underlying malware code, which helps it evade the often signature-based approach to checking inbound network traffic. There are several new tools on the market that can test network security devices for potential weaknesses in their ability to prevent malware bypassing perimeter security. Whilst not all traffic using an AET will be malware, it is another tool being used in the pursuit of malware distribution.

Research by the security firm Stonesoft identified 147 possible atomic evasion techniques. When you consider that these techniques can be combined, that is a staggering array of new vectors that could be exploited. Many of the techniques involve using unusual or rarely used protocol properties, or design flaws with regard to device memory or configuration.

As the number of services, users and online e-commerce transactions increases, so too will the sophistication and professionalism of attackers and the software and techniques they use.
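To make the "atomic evasion" idea concrete, here is an added example (it is not code from the paper or from Stonesoft) that models two of the classic transport-layer evasions: splitting a request so the signature never sits inside one packet, and retransmitting the same byte range with benign content so that an IDS and the target host reassemble different streams. The signature, the HTTP request and the overlap policy are constructed for illustration; real TCP stacks differ in how they resolve overlaps, which is exactly what the second evasion relies on.

```python
"""Added example, not from the original paper: a per-packet signature check
defeated by two 'atomic' evasions (segmentation and overlapping retransmission),
and the stream reassembly an IDS needs to see what the target host sees.
The signature, the request and the overlap policies are constructed."""

# Constructed signature, as a hypothetical IDS rule might carry it.
SIGNATURE = b"/cgi-bin/evil.sh"

# Constructed attacker request; the signature starts at byte offset 4.
REQUEST = b"GET /cgi-bin/evil.sh HTTP/1.1\r\nHost: target\r\n\r\n"


def naive_packet_match(segments, signature=SIGNATURE):
    """Stateless check: look for the signature inside each segment on its own.
    `segments` is a list of (tcp_seq_offset, payload_bytes) in arrival order."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments, favor="first"):
    """Rebuild the byte stream the way a TCP stack would: order by sequence
    offset, and resolve overlapping bytes by keeping either the first copy
    received (favor='first') or the last (favor='last'). Real operating systems
    differ in this policy, which is what overlap evasions exploit."""
    seen = {}  # absolute byte offset -> byte value
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            if favor == "first":
                seen.setdefault(seq + i, byte)
            else:
                seen[seq + i] = byte
    if not seen:
        return b""
    # Holes (missing offsets) are filled with NUL so the caller can still inspect.
    return bytes(seen.get(i, 0) for i in range(max(seen) + 1))


def stream_match(segments, signature=SIGNATURE, favor="first"):
    """Stateful check: inspect the reassembled stream, not the packets."""
    return signature in reassemble(segments, favor)


def segmentation_evasion(data, chunk_size=4):
    """Evasion 1: split the request into segments smaller than the signature and
    send them out of order, so no single packet ever contains the full pattern."""
    segments = [(i, data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    return segments[1::2] + segments[0::2]  # deterministic reorder


def overlap_evasion(data, signature=SIGNATURE, decoy=b"/cgi-bin/safe.sh"):
    """Evasion 2: send the real bytes, then 'retransmit' the same sequence range
    with benign content. A host that keeps the first copy runs the exploit; an
    IDS that honours the retransmission sees only the decoy."""
    assert len(decoy) == len(signature), "decoy must cover exactly the same range"
    offset = data.index(signature)
    return [(0, data), (offset, decoy)]
```

The practical lesson for a perimeter device is twofold: it must reassemble streams rather than match per packet, and its overlap policy must match the host it is protecting (target-based reassembly), otherwise the attacker chooses which of the two views contains the exploit.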
Enterprise Protection

Any device connected to the internet is open to attack, from highly complex botnets right through to an individual port scanning for online FTP or database servers. Corporate networks are no stranger to being specifically targeted, or to being infected with malware delivered via the public network.

Attack Vectors and Entry Points

Firewall & Network Perimeter - Historically, enterprise security was often viewed with an "us and them" mentality. Everything on the internal LAN was safe; anything past the DMZ and on the internet was potentially bad. The main attack vector in was through the corporate firewall and any other perimeter network entry points. The firewall was seen as the ultimate protection mechanism, and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

USB - Desktop PCs were the end goal, and they were attacked either through HTTP payloads from websites of dubious origin, or via malware distributed by email in attachments such as Excel spreadsheets or files containing macros. The proliferation of USB devices also assisted in the distribution of malware, as large files were often easier to copy offline.

BYOD - Whilst those issues still exist in many organisations, cyber threats have evolved significantly. Smartphones are omnipresent in the enterprise, whether via Bring Your Own Device (BYOD) or via internally managed hardware. This brings another dimension. Not only is malware common across a variety of smartphone operating systems, but smartphones alter the perimeter of the "safe" internal network. Smartphones have separate data network access, either via 3G/4G or wifi, giving access on unsecured networks (or at least networks unmanaged from the corporation's perspective).
Add to that the fact that they can also be used as network hotspots, and bringing a smartphone to work could easily create an un-firewalled, unmanaged router on every desk.

Social Media & Social Engineering - The onset of social media has also brought different angles. Not only are the numerous social media sites used for malware distribution and botnet control, they also give an attacker a new level of information when it comes to spear phishing or targeted attacks. Publicly held information about senior individuals within an organisation makes social engineering attacks more sophisticated and more likely to succeed.

Basic Defence in Depth

Cyber protection (like any information security protection) is best applied in depth. A single layer of protection, no matter how complex, will be breached at some time in the future. When it is, it is imperative to have several further layers underneath.

Network Security - The network perimeter needs protecting. No doubt about that. Next-generation firewalls inspect at both the high and low levels of the OSI stack. Gone are the days of simple port blocking rules. Intrusion detection systems are also a default for many larger organisations. The recent concept of advanced evasion techniques calls into question the ability of the current batch of network perimeter devices to detect the complex network delivery configurations that help distribute malware payloads. General network asset management and scanning is also important, not only to help identify smartphone-related hotspots and leaks out to the internet, but also to find unauthorised devices, especially those configured to use IPv6 on IPv4-only networks.
Access Management - A long-standing problem for larger organisations is the constant provisioning and de-provisioning of user accounts. The use of least privilege is a must, as is regular certification (the checking of existing users and their access levels). Role-based access control can also be a major benefit, especially when it comes to the user on-boarding process, although it can be complex to implement. Device-level access should also be well managed. Root or administrator-equivalent access should be restricted, along with restricted file system access, with device management and configuration changes not permitted unless required for the individual's role. Policies should be restrictive but not inhibitive.

Patching - The age-old issue of patching. Software should of course be updated to the level recommended by the vendor. The simple reason is that, from a management perspective, the best support will be received from the vendor or partner if the most recent patches and service packs are installed. Zero-day attacks are now common practice, with vulnerabilities being exploited before a patch has been provided. In this case there is a counter-argument: newer software could well be more buggy and vulnerable to attack, as it has had less time in real-world implementation environments. From a simple risk management perspective, however, applying patches as soon as possible can help get the vendor to accept some of the recovery process if a breach or issue has occurred.

Anti-virus and URL Scanning - Anti-virus is again an age-old issue from a management perspective. From the initial anti-virus installation and build, to the distribution of new definitions, and then the scanning of machines and recording of infections, anti-virus is key, but also a major headache. You are only as strong as the weakest link, and it takes only one machine not being covered to cause an issue. Virus protection must now cover a range of devices, from laptops, smartphones and print devices to routers, firewalls and switches, if they are sophisticated enough to have a basic operating system.
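The access management paragraph above asks for three things that are easy to state and easy to let slip: least privilege against a role model, recertification of existing access, and restricted administrator-equivalent rights. The following is an added example, not code from the paper, of an automated certification pass that checks all three over a constructed identity-store export. The role names, entitlement names, dates and thresholds are assumptions chosen for illustration.

```python
"""Added example, not from the original paper: an access certification pass
that applies least privilege and re-certification checks to a constructed user
population. Role names, entitlement names and dates are assumptions."""
from datetime import date

# Constructed role model: the entitlements each role is supposed to grant.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp_read", "reporting_portal"},
    "sysadmin": {"erp_read", "server_root", "vpn"},
}

# Entitlements that amount to root/administrator-equivalent access.
PRIVILEGED = {"server_root", "domain_admin", "db_dba"}

# Constructed identity-store export.
USERS = [
    {"id": "alice", "role": "finance_analyst",
     "entitlements": {"erp_read", "reporting_portal"},
     "last_login": date(2012, 11, 10), "last_certified": date(2012, 9, 1)},
    {"id": "bob", "role": "finance_analyst",           # privilege creep
     "entitlements": {"erp_read", "reporting_portal", "server_root"},
     "last_login": date(2012, 11, 1), "last_certified": date(2012, 10, 1)},
    {"id": "carol", "role": "sysadmin",                # dormant account
     "entitlements": {"erp_read", "server_root", "vpn"},
     "last_login": date(2012, 4, 1), "last_certified": date(2012, 10, 1)},
    {"id": "dave", "role": "contractor",               # no role definition exists
     "entitlements": {"vpn"},
     "last_login": date(2012, 11, 12), "last_certified": date(2011, 12, 1)},
]


def review_access(users, roles=ROLE_ENTITLEMENTS, privileged=PRIVILEGED,
                  today=date(2012, 11, 15), dormant_days=90, certify_days=180):
    """Return (user, finding, detail) tuples for everything a certifier must act on."""
    findings = []
    for u in users:
        allowed = roles.get(u["role"])
        if allowed is None:
            findings.append((u["id"], "unknown_role", u["role"]))
            allowed = set()  # least privilege: an undefined role justifies nothing
        for ent in sorted(u["entitlements"] - allowed):
            kind = "privileged_excess" if ent in privileged else "excess"
            findings.append((u["id"], kind, ent))
        if (today - u["last_login"]).days > dormant_days:
            findings.append((u["id"], "dormant", u["last_login"].isoformat()))
        if (today - u["last_certified"]).days > certify_days:
            findings.append((u["id"], "certification_overdue",
                             u["last_certified"].isoformat()))
    return findings


def revocations(findings):
    """What to pull immediately, before the manual review: any privileged
    entitlement the role does not justify, and all access of dormant accounts."""
    dormant = {user for user, kind, _ in findings if kind == "dormant"}
    immediate = {(user, ent) for user, kind, ent in findings
                 if kind == "privileged_excess"}
    immediate |= {(user, "ALL") for user in dormant}
    return sorted(immediate)
```

Everything else in the findings list (non-privileged excess, overdue certifications, accounts with no role definition) goes to the line manager for a decision; only the items that are unambiguously wrong under least privilege are revoked without a human in the loop.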
Metrics for coverage rates and infection rates are important, as they not only help with issue detection but also provide return-on-security-investment data, which helps fund projects and build business cases.

URL scanners are also popular. This is more about the newer concept of reputation-based analysis. By using data from other infected parties, databases can be built that check a fully formed URL to see if it has been involved in malicious activity or malware distribution. The same concept can also be applied to public subnets.

Offense and Response

A key message from any CISO to the management board of an organisation is that they will be attacked and breached at some point. There is no such thing as total protection. The same can be said of risk management: risks of great scale can never be removed entirely, only reduced or transferred.

Incident Response - With that said, a strong process and control centre for data breach and cyber attack recovery and incident response is important. That should include both technical forensic tools and the right people and processes to make them effective. An incident should be properly assessed, with an understanding of the impacted parties and the scope of the attack. Once a full understanding of the attack has been reached, some "stop the bleeding" style actions should be taken to limit the impact and exposure. This could include tactical short-term fixes or changes. Following this should come a detailed root cause analysis phase, with more strategic remediation steps.

SIEM, Logging and Forensics - For an incident response to take place, the incident must first be detected, and detecting an attack requires several interlinked and correlated pieces of security data.
Security Information and Event Management (SIEM) tools should be used to centrally store and manage logs from multiple devices. Signature-based analysis can certainly help with scanning for known attacks, with behaviour profiling technologies helping with the unknown. Forensics-style analysis for post-incident management is also popular, with secure duplication of logs and files, often hashed to confirm that a snapshot has been taken and has not been altered since.

Enterprise Protection Conclusion

I think the main overriding aspect for enterprise cyber protection is that, as a large-scale organisation, you will be attacked at some point. That may be a virus infection, data theft or a defaced website, but both proactive and reactive measures must be in place to make risk management of the situation effective. Those measures must be both technical and personnel related.
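The "SIEM, Logging and Forensics" passage above makes three points worth seeing in code: signature rules catch the known, behavioural correlation across several events catches the unknown, and evidence must be hashed so the snapshot can be proven untouched. The following is an added example, not code from the paper or from any SIEM product, that runs both rule types over constructed sshd log lines and produces a digest of the evidence. The hostnames, addresses, usernames and the year assumed for the syslog timestamps (which carry none) are all constructed.

```python
"""Added example, not from the original paper: SIEM-style correlation over
constructed sshd log lines, with a signature rule (remote root login attempt),
a behavioural rule (failure burst from one source, escalated if it then
succeeds) and a SHA-256 over the evidence for the forensic snapshot."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. Syslog has no year; 2012 is assumed in parse().
LOG_LINES = [
    "Nov 14 03:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Nov 14 03:12:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Nov 14 03:12:05 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2",
    "Nov 14 03:12:08 web01 sshd[2207]: Failed password for deploy from 203.0.113.7 port 51240 ssh2",
    "Nov 14 03:12:11 web01 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51242 ssh2",
    "Nov 14 03:12:20 web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2",
    "Nov 14 03:15:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2",
    "Nov 14 03:20:00 web01 sshd[2310]: Failed password for bob from 198.51.100.9 port 40100 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines, year=2012):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["raw"] = line
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Return (rule, source, detail) alerts. The signature rule is stateless; the
    behavioural rule needs all events from one source, which is the correlation
    a SIEM adds over a single device's logs."""
    alerts = []
    for ev in events:                                  # signature: known-bad pattern
        if ev["user"] == "root":
            alerts.append(("root_login_attempt", ev["src"], ev["ts"].isoformat()))
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src in sorted(by_src):                         # behaviour: failure bursts
        evs = sorted(by_src[src], key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                alerts.append(("brute_force", src, len(burst)))
                later_ok = [e for e in evs
                            if e["outcome"] == "Accepted" and e["ts"] > burst[-1]["ts"]]
                if later_ok:                           # the burst paid off: top priority
                    alerts.append(("brute_force_success", src, later_ok[0]["user"]))
                break
    return alerts


def evidence_digest(lines):
    """SHA-256 over the exact lines preserved for forensics. Record this with the
    snapshot; recomputing it later proves the copy has not been altered."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()
```

Note that the single failure from 198.51.100.9 produces nothing: the behavioural rule is deliberately a threshold within a window, and the root rule fires regardless of count. The digest is taken over the raw lines, not the parsed events, because the raw lines are what an investigator will be asked to produce.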
Consumer Protection

Cyber attacks have been well documented in their ability to damage large organisations, government websites and critical infrastructure. However, there is still a large volume of non-technical home and mobile users who end up as the victims of online attacks and identity theft.

Everything's Online

Well, not quite everything, but most things. You can certainly do all your shopping online. Banking? Yep. Store your music, photos and apps? Yep. Watch movies and TV? Yep. Interact with other people? Yep. So practically every aspect of daily life can be automated and placed online. The main consumers of online products and services are, obviously, the digital natives: Generation Y and below, who were born not with a silver spoon but with a smartphone hanging out of their mouth.

Laptops can obviously do everything a desktop can do, with the added option of being portable and using wireless networking. A laptop itself would be pretty useless without an internet connection; in reality, not many people would use a laptop with the wifi or Ethernet LAN connection disabled.

Vulnerabilities - Learning and Spotting

The use of more portable devices, including smartphones, has increased user convenience but also opened a can of worms when it comes to security. Smartphones are not really phones. They are computers that happen to make calls. The phone itself will contain considerable personal and potentially work-related data: contacts, emails, attachments, internet browsing history, cookies, bookmarks, saved and cached passwords and so on.

However, the main vulnerability with respect to consumers is often not the technology they use, but how they use it.
If you went to a new town or city and someone totally unknown came up to you and tried to sell you a second-hand car, you would probably walk away. You don't know the person's history or credibility, and if you wanted to buy a car you would want to see it, get a review, test drive it and so on. Your basic inner suspicions would take hold and you would walk away.

Those same instincts should be applied to online browsing, but many users are often blinded by the technology and the unfamiliar intermediate steps involved in buying products and services online. Phishing is popular, as is social engineering; we've all heard the stories of the Nigerian prince requiring urgent funds to allow safe passage for his daughter, who happens to be in your local town.

Protection Steps

Basic instincts count for a lot. If you receive an email from someone unknown, don't expect it to contain winning lottery information or a link to photos from your past. How could it? If an online deal seems too cheap to be true, it probably is. Use sites that you are familiar with. Reviews of products and services are now available, free, for nearly everything.

From a technology perspective, treat your online tooling the same as you would physical devices like cars and cookers. Make sure they are up to date and well serviced. If your laptop, operating system or browser is running an old version, get it updated with patches and service packs. Anti-virus, anti-malware and firewall tools should be installed as a minimum default and kept up to date too.

Don't use public wifi for things like online banking, or if you absolutely have to, put in place a local SSH tunnel to add some anti-sniffing protection. SSL is an absolute must for any website that requires authentication, and for remote email access over IMAP and SMTP.
From a smartphone perspective, make sure the OS is up to date, use a passcode of at least six characters rather than a short numeric PIN, encrypt the local phone contents, and set up insurance and remote-wipe features in case of theft.

As more and more of our daily lives involve online transactions of some sort, the unfamiliarity of the tooling should fade, allowing our instincts to provide some protection against social engineering and leaving technology to fight the APTs.
Critical Infrastructure

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that constitute a critical environment. Whilst many financial services environments can be described as critical, critical infrastructure is more focused on the key assets described by a government as essential to the standard functioning of society and the economy. This would include key utilities such as electricity and water supply, public health institutions, and national security groups such as policing and the military.

In recent years they have been subject to specific and prolonged attacks, exposing long-standing vulnerabilities.

Difference of Priorities: CIA to AIC

The standard information security triad consists of confidentiality, integrity and availability. The priorities for many business information systems follow the CIA approach in that order. Confidentiality is still the number one priority, with things like access management, network perimeter security and data loss prevention strategies still the number one budget grabbers. The main driver behind such decisions is often the protection of intellectual property, client records or monetary transactions. The output of many service-related organisations is intangible in nature, placing a greater reliance on the digital management, storage and delivery of the processes and components that make the organisation work.

From a critical infrastructure perspective, I would argue that the priorities within the security triad alter, to focus first on availability, with integrity next and confidentiality last. An electricity generation plant has one main focus: generate and distribute electricity. A hospital has one priority: keep people alive and improve their health.
These priorities, whilst relying substantially on information systems, are often managed in a way that makes their delivery more important than the component systems involved. This difference in attitude towards how security policies are implemented can have a significant impact on vulnerability and exploit management.

Vulnerabilities - Nature or Nurture?

Vulnerability management from a consumer or enterprise perspective is often applied via a mixture of preventative and detective controls. Preventative controls come in the form of patching and updates, in an attempt to limit the window of opportunity for things like zero-day attacks. Detective controls come in the form of anti-virus and log management systems, which help to minimise impact and identify where and when a vulnerability was exploited. The many basic steps associated with enterprise protection are often not available within critical infrastructure environments.

Critical infrastructure is often built on top of legacy systems using outdated operating systems and applications. These environments often fail to be patched due to the lack of downtime or permitted out-of-hours work. ICS and energy generation systems generally don't have a downtime period, as they work 24x7x365. Outage is for essential maintenance only, and preventative patching won't necessarily qualify as an essential outage. Given the age and heterogeneity of such systems, a greater focus on patch management would seem natural. Many critical infrastructure environments are also relatively mature in comparison to modern digital businesses. Mechanisation of industrial and energy-related tasks is well over a century old, with computerisation coming only in the last 35 years. This maturity has often resulted in cultural and personnel gaps when it comes to information security.
Basic Security Erosion

Some of the existing security-related policies implemented in critical infrastructure environments are now starting to erode. The basic but quite powerful preventative measure of using air-gapped networks to separate key systems from the administrative side of the organisation is being eroded. The need for greater management information, reporting and analytical systems has led to cross-network pollution. The low-level programmable logic controllers (PLCs), used for single-purpose automation of electromechanical tasks, are now being exposed to the public network. Connecting desktop and laptop devices to previously isolated networks has made the risk of infection from internet-borne malware a lot higher.

Recent Attacks and a Change in Culture

The two major exploits focused specifically on critical infrastructure environments in the last couple of years have probably been the Stuxnet and Duqu attacks. Whilst the motives for these attacks may differ from the standard monetary or credibility drivers for malware, they illuminated the potential for mass disruption. As with any security attack, post-incident awareness and increased focus often result, with several new attempts at securing critical infrastructure now becoming popular. There are several government-led and not-for-profit organisations that have contributed to security frameworks for critical environments.

Kaspersky Lab also recently announced plans to develop a new, built-from-the-ground-up secure operating system, with a focus on critical environments.
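The "Basic Security Erosion" passage above describes the failure mode (corporate desktops and reporting systems reaching into the PLC network that used to be air-gapped) but not how you would find it. The following is an added example, not code from the paper, of a segmentation audit: a default-deny zone policy applied to constructed flow records, flagging any traffic that crosses into or out of the control zone without an explicit allowance. The address ranges, zone names and allowed ports stand in for a real site's design and are assumptions.

```python
"""Added example, not from the original paper: a segmentation audit over
constructed flow records, flagging traffic that crosses from the corporate
network into the control (PLC) zone, or leaves it, against a default-deny
zone policy. Ranges, zone names and allowed ports are assumptions."""
import ipaddress

# Constructed zones, in the style of a Purdue-model split.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),       # historian, jump hosts
    "control": ipaddress.ip_network("192.168.100.0/24"),  # PLCs and HMIs
}

ANY = None  # any destination port

# Default deny: a (src_zone, dst_zone) pair absent from this table is a violation.
ALLOWED = {
    ("ot_dmz", "control"): {502, 44818},   # Modbus/TCP and EtherNet/IP, from the DMZ only
    ("corporate_it", "ot_dmz"): {443},     # reporting via the historian front end
    ("corporate_it", "corporate_it"): ANY,
    ("ot_dmz", "ot_dmz"): ANY,
    ("control", "control"): ANY,
}


def zone_of(ip):
    """Map an address to its zone; anything outside the defined ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def audit_flows(flows, allowed=ALLOWED):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the violations."""
    violations = []
    for src, dst, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone) in allowed:
            ports = allowed[(src_zone, dst_zone)]
            if ports is ANY or dport in ports:
                continue
        violations.append({
            "src": src, "dst": dst, "dport": dport,
            "path": f"{src_zone}->{dst_zone}",
            # Anything reaching the control zone from outside it, or control
            # talking out, is the air-gap erosion described above: top severity.
            "severity": "high" if "control" in (src_zone, dst_zone) else "medium",
        })
    return violations


# Constructed flow records, as exported from a firewall or a passive tap.
SAMPLE_FLOWS = [
    ("10.10.5.23", "192.168.100.10", 502),     # engineer's laptop straight to a PLC
    ("10.20.0.5", "192.168.100.10", 502),      # historian polling the PLC: allowed
    ("192.168.100.10", "198.51.100.77", 443),  # PLC network reaching the internet
    ("10.10.5.23", "10.20.0.5", 443),          # corporate user to reporting: allowed
    ("10.10.5.23", "192.168.100.20", 3389),    # RDP into the control zone
    ("10.10.7.1", "10.10.9.4", 445),           # corporate to corporate: allowed
]
```

Run against a passive capture rather than firewall logs where possible: the flows that matter most are the ones that never traversed a firewall, because a desktop was plugged directly into the control network. The same policy table can then be turned into the firewall rules that restore the separation.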
Whilst previously focused only on the availability and delivery of key services and products, critical infrastructure environments now have to manage the increasing threat posed by cyber attacks and malware exposure.
